[Openid-specs-ab] Issue #1629: [Federation] aud of request object (openid/connect)

Takahiko Kawasaki issues-reply at bitbucket.org
Thu Sep 1 14:24:56 UTC 2022


New issue 1629: [Federation] aud of request object
https://bitbucket.org/openid/connect/issues/1629/federation-aud-of-request-object

Takahiko Kawasaki:

The OIDC Federation specification requires that the value of the `aud` claim in a request object presented at the authorization endpoint be the URL of the authorization endpoint.

### OIDC Federation 1.0, [Authentication Request](https://openid.net/specs/openid-connect-federation-1_0.html#name-authentication-request)

> The Audience (aud) MUST be the URL of the Authorization Server's Authorization Endpoint.

However, the requirement conflicts with descriptions in other specifications.

### OIDC Core 1.0, [Section 6.1](https://openid.net/specs/openid-connect-core-1_0.html#RequestObject)

> The `aud` value SHOULD be or include the OP's Issuer Identifier URL.

### RFC 9101, [Section 4](https://www.rfc-editor.org/rfc/rfc9101.html#section-4)

> The value of `aud` should be the value of the authorization server (AS) `issuer`, as defined in [RFC 8414](https://www.rfc-editor.org/rfc/rfc9101.html#RFC8414) [RFC8414].

The requirement in OIDC Federation should be changed to align with the other specifications. Otherwise, OIDC Federation-compliant AS implementations will face problems when they run the tests of the official OpenID conformance suite.
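The conflict above is, in practice, a question of what an authorization server's request-object validator puts in its accepted `aud` set. The following is an added example written for this page, not code from the issue, the specifications, or any OpenID implementation. It builds a request object as an HS256-signed JWT purely so the block is self-contained (a real AS would verify an asymmetric JWS against the client's published keys), then checks `aud` against a configurable set that by default contains both the issuer identifier (OIDC Core / RFC 9101) and the authorization endpoint URL (OIDC Federation), which is the interoperable policy the post argues for. The issuer, endpoint URL, and shared secret are constructed values; `aud` is handled as either a string or an array, as RFC 7519 allows.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example; not taken from the thread or any spec text.
ISSUER = "https://op.example.com"
AUTHZ_ENDPOINT = "https://op.example.com/authorize"
SECRET = b"example-shared-secret"  # HS256 key, used only to keep the example self-contained


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    """Inverse of _b64url; re-adds the padding that JWS strips."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_request_object(claims: dict) -> str:
    """Build an HS256-signed request object (a JWT) carrying the given claims.
    The typ value is the media type RFC 9101 defines for request objects."""
    header = {"alg": "HS256", "typ": "oauth-authz-req+jwt"}
    signing_input = (_b64url(json.dumps(header).encode())
                     + "." + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_and_decode(jwt: str) -> dict:
    """Check the HS256 signature and return the payload claims.
    Raises ValueError on a malformed token, unexpected alg, or bad signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def aud_accepted(claims: dict, accepted) -> bool:
    """True if at least one aud value is in the accepted set.
    aud may be a single string or an array of strings (RFC 7519 section 4.1.3);
    a missing or malformed aud is rejected rather than treated as a wildcard."""
    aud = claims.get("aud")
    if aud is None:
        return False
    values = [aud] if isinstance(aud, str) else aud
    if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
        return False
    return any(v in accepted for v in values)


# Default policy: accept either the issuer identifier or the authorization
# endpoint URL, so request objects written to OIDC Core / RFC 9101 and to
# OIDC Federation both pass. Pass a one-element set to enforce one spec strictly.
DEFAULT_ACCEPTED_AUD = frozenset({ISSUER, AUTHZ_ENDPOINT})


def check_request_object_aud(jwt: str, accepted=DEFAULT_ACCEPTED_AUD) -> bool:
    """Verify the request object and apply the aud policy."""
    return aud_accepted(verify_and_decode(jwt), accepted)


if __name__ == "__main__":
    ro = make_request_object({"iss": "client-1", "client_id": "client-1", "aud": AUTHZ_ENDPOINT})
    print(check_request_object_aud(ro))
```

Swapping `DEFAULT_ACCEPTED_AUD` for `frozenset({AUTHZ_ENDPOINT})` reproduces the strict Federation reading and shows exactly which conformance-suite style request objects (those using the issuer as `aud`) would then be refused.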